SaFi Bank Space : How to Integrate a Micronaut application with HashiCorp Vault

This document describes the steps a developer can take to have a Micronaut application source its properties from HashiCorp Vault.

A branch for jira-gateway illustrates what needs to be done.

The build pipelines need VAULT_ADDR set to a valid Vault address and VAULT_TOKEN set to any value for the builds to succeed.

Introduction

Applications currently source property values through environment variables, such as KAFKA_URL in the following application.yml example:

kafka:
  bootstrap:
    servers: ${KAFKA_URL}

We want to have those values stored in HashiCorp Vault instead of having them set as environment variables, and we can achieve this transparently by leveraging the Micronaut Vault integration feature.

The framework will look up secrets in Vault and set the corresponding variables accordingly, reducing the steps to be taken by developers to the following:

1. Add the following dependency to build.gradle.kts

implementation("io.micronaut.discovery:micronaut-discovery-client")

2. Add the following to the application’s bootstrap.yml, under the resources directory

micronaut:
  application:
    name: my-awesome-app
  config-client:
    enabled: true
vault:
  client:
    config:
      enabled: true
    kv-version: V2
    secret-engine-name: secrets/app-properties
    uri: ${VAULT_ADDR}
    token: ${VAULT_TOKEN}

The micronaut.application.name property has to be set here, to the actual application name, and can then be removed from application.yml.

3. Use Kotlin chart version >= 0.3.12 for the app and add the following to the app's Helm chart values

kotlin:
  micronaut:
    vault:
      endpoint: https://vault.hcv.dev.safibank.online:8200
      kubernetesAuthentication: true

With this configuration, Micronaut will fetch values from HashiCorp Vault at application startup and replace configuration placeholders automatically.

11:39:58.573 [main] INFO  i.m.context.DefaultBeanContext - Reading bootstrap environment configuration
11:39:59.151 [main] INFO  i.m.d.c.c.DistributedPropertySourceLocator - Resolved 4 configuration sources from client: compositeConfigurationClient(vault-config-client-v2)
11:39:59.216 [main] INFO  io.micronaut.runtime.Micronaut - Startup completed in 796ms. Server Running: http://localhost:8080

For new Vault values to be taken into account, the Micronaut application has to be restarted.
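
A pre-deployment check for this migration, as an added example that is not part of the original page or the jira-gateway branch: it lists the placeholders in a config file that have neither a default nor a key in the application's Vault secret. It assumes the Vault keys are named exactly like the placeholders (e.g. KAFKA_URL) and that the secret was exported with `vault kv get -format=json`; JIRA_TIMEOUT, JIRA_TOKEN and all sample values are constructed.

```python
import json
import re

# Micronaut-style placeholders: ${NAME} or ${NAME:default}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_.\-]+)(:[^}]*)?\}")

# Constructed sample: the page's application.yml plus two made-up entries.
SAMPLE_CONFIG = """\
kafka:
  bootstrap:
    servers: ${KAFKA_URL}
# datasource:
#   url: ${OLD_DB_URL}
jira:
  timeout: ${JIRA_TIMEOUT:30}
  token: ${JIRA_TOKEN}
"""
# Constructed KV v2 read response; only the key names are ever inspected.
SAMPLE_VAULT = ('{"data": {"data": {"KAFKA_URL": "kafka.example.invalid:9092"},'
                ' "metadata": {"version": 1}}}')


def placeholders(config_text):
    """Return {name: has_default} for every placeholder outside comment lines."""
    found = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for name, default in PLACEHOLDER.findall(line):
            # Covered by a default only if every use of the name has one.
            found[name] = found.get(name, True) and bool(default)
    return found


def vault_keys(kv2_json):
    """Key names from a KV v2 read response; secret values are not returned."""
    return set(json.loads(kv2_json)["data"]["data"])


def missing_in_vault(config_text, kv2_json, skip=("VAULT_ADDR", "VAULT_TOKEN")):
    """Placeholders with no default and no Vault key. VAULT_ADDR and VAULT_TOKEN
    are skipped: bootstrap.yml needs them from the environment to reach Vault."""
    keys = vault_keys(kv2_json)
    return sorted(name for name, has_default in placeholders(config_text).items()
                  if not has_default and name not in keys and name not in skip)


if __name__ == "__main__":
    print("missing in Vault:", missing_in_vault(SAMPLE_CONFIG, SAMPLE_VAULT))
```

The check reports key names only, so its output can go into a pipeline log without exposing secret values.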
